Graceful Degradation With Active-Domain Registry

Mechanism

The active-domain registry is a real-time record of which cognitive domain fields are currently operational for an agent. The registry is consulted at every confidence computation and at every decision-gating step, producing a coverage vector that the agent's downstream reasoning consumes alongside its substantive outputs. When fields are unavailable due to resource constraints, deployment limitations, transient subsystem failures, or intentional configuration, the registry records which fields are missing, when they became unavailable, and what reason was supplied for their absence. The agent's confidence computation is rewritten through a coverage factor whose value is bounded above by the proportion of safety-critical fields presently active, ensuring that no quantity of optimistic reasoning over the surviving fields can lift confidence above the level that the active coverage admits.

The registry distinguishes between unavailability that is observed (a field was queried and failed to respond), unavailability that is declared (a field was disabled by configuration), and unavailability that is inferred (a field's outputs are present but stale beyond the field's own freshness contract). Each class of unavailability produces a different annotation on the coverage vector, and downstream consumers can apply class-specific policy: a declared unavailability may be acceptable for a low-stakes operation, an observed unavailability may trigger a retry and a temporary confidence floor, and an inferred staleness may trigger a forced re-evaluation before the agent acts on the affected output.

The mechanism's central novelty is that capability awareness composes with confidence rather than substituting for it. An agent without integrity tracking does not refuse to act, and it does not pretend that its actions are integrity-tracked; it acts under a confidence ceiling that reflects the absence of integrity tracking, and it announces the absence to every downstream consumer that requests its output. The same agent can be redeployed into an environment where integrity tracking is available without architectural change: the registry observes the new field, raises the coverage factor, and the confidence ceiling lifts automatically.

Operating Parameters

Each cognitive field registered with the active-domain registry carries operating parameters that govern its contribution to the coverage vector. A criticality class places the field on a scale from advisory (its absence reduces confidence by a configurable but small amount) to safety-critical (its absence triggers non-executing cognitive mode in which the agent reasons but does not act). A freshness contract specifies how recently the field's outputs must have been produced for the field to count as active; outputs older than the contract demote the field from active to stale. A stability contract specifies how stable the field's outputs must be across recent invocations; oscillating outputs demote the field from active to unstable. A dependency declaration lists fields whose absence forces this field's demotion regardless of its own operability; a planning field, for instance, depends on a forecasting field, and a planning output produced without forecasting input is treated as inactive even if the planning field itself responded.

The coverage factor is computed from the active set under a configurable aggregation function. A multiplicative aggregation produces sharp degradation when any safety-critical field is missing and graceful degradation across advisory fields. An additive aggregation with criticality weights produces smoother degradation suitable for deployments where partial operation across many advisory fields is preferable to full operation across few critical fields. A min-of-criticality aggregation, used in high-assurance deployments, sets the coverage factor to the lowest active value among safety-critical fields, ensuring that one weakened critical field bounds overall confidence.

Threshold policies translate coverage values into operational modes. Above an upper threshold, the agent operates in unrestricted mode and acts on its outputs autonomously. Between the upper and a middle threshold, the agent operates in restricted mode and refers high-stakes outputs to a supervisor before acting. Between the middle and a lower threshold, the agent operates in advisory mode and produces outputs but does not act. Below the lower threshold, the agent enters non-executing cognitive mode in which it continues to reason and report but takes no external action.

Alternative Embodiments

The mechanism admits embodiments differentiated by deployment topology. In an edge-device embodiment, the registry runs locally on resource-constrained hardware and the field set is statically configured at deployment time, with the coverage vector serialized into every output the device produces so that consuming systems can apply their own policy. In a fleet embodiment, registries on multiple devices report to a central coordinator that aggregates coverage across the fleet and produces a fleet-level coverage vector for system-wide decisions; an individual device's degradation is absorbed by the fleet so long as the fleet-level coverage remains sufficient. In a hot-swap embodiment, fields can be added and removed during operation without restarting the agent, with the registry updating coverage atomically and any in-flight reasoning re-evaluated against the new coverage before its outputs are committed.

A regulated-industry embodiment pins specific fields as mandatory: their absence forces the agent into non-executing cognitive mode regardless of other coverage, ensuring that regulatory requirements for cognitive completeness are enforced architecturally rather than procedurally. A safety-rated embodiment couples the registry to a safety monitor that records every transition into and out of non-executing mode, producing an audit trail that demonstrates the agent's behavior under degraded conditions. A capability-discovery embodiment treats the registry as queryable by external systems before delegation: a system about to delegate an operation to the agent first inspects the agent's coverage vector and only delegates operations whose criticality the agent's coverage supports.

Composition

Graceful degradation composes with the broader human-relatable intelligence framework along several seams. First, it composes with confidence reporting: the coverage vector is a structured input to every confidence value the agent produces, so consumers can distinguish between low confidence due to ambiguous evidence and low confidence due to missing capability. Second, it composes with delegation: an agent never accepts a delegated operation whose required coverage exceeds its current coverage, and never delegates an operation whose required coverage exceeds the delegate's current coverage. Third, it composes with explanation: when the agent produces an explanation of its reasoning, the explanation is annotated with the coverage under which the reasoning was performed, so a downstream reader can reconstruct exactly which cognitive fields were active at each step of the chain.

Compositional behavior with redundancy is also load-bearing. A deployment may register multiple instances of the same cognitive field, each with independent failure modes. The registry treats redundant instances as a quorum: the field is active if any required quorum of instances is active, and the coverage value reflects the strength of the surviving quorum. This produces a system in which capability degradation is gradual across redundant instances rather than binary, and in which the same architecture supports both single-instance edge deployments and fully redundant safety-rated deployments without modification.

Prior-Art Distinction

Conventional fault-tolerance approaches in agent architectures fall into two categories: fail-stop, in which the agent halts when any subsystem becomes unavailable, and fail-silent, in which the agent continues to operate without acknowledging the loss. Fail-stop systems sacrifice availability for correctness; fail-silent systems sacrifice correctness for availability. Risk-aware planning frameworks add probabilistic accounting of subsystem reliability but generally treat capability as a property of the planner rather than as a queryable, compositional property of the agent. The disclosed mechanism does not halt and does not silently degrade; it announces its degraded coverage to every consumer, bounds its actions by the coverage in force, and recovers automatically when capability returns. The capability-awareness primitive is composable across delegation, explanation, and audit, which prior fault-tolerance approaches do not provide because they do not separate capability state from cognitive output.

Disclosure Scope

This disclosure covers the active-domain registry as a first-class compositional component of an agent architecture, including the criticality, freshness, stability, and dependency parameters described above, the aggregation functions and threshold policies that translate active coverage into operational modes, the embodiments enumerated, and the compositional seams with confidence reporting, delegation, explanation, and audit. The scope extends to cognitive fields not enumerated whose registration follows the same parameter pattern, to aggregation functions not described whose behavior reduces to the threshold semantics above, and to compositional uses with downstream systems that consume coverage vectors as part of their own decision logic.

The capability-awareness primitive described herein is disclosed in U.S. Provisional Application No. 64/049,409, which fixes the active-domain registry, the coverage-vector representation, and the threshold-driven mode-selection mechanism as architectural elements separable from any particular cognitive substrate. The provisional anchors the distinction between capability state and cognitive output as a structural property of the agent rather than as an implementation choice of a given planner, so that downstream consumers of the coverage vector, whether a delegating agent, an explanation renderer, or an audit pipeline, observe the same semantics regardless of which cognitive fields the embodying system happens to register.